The General Data Protection Regulation (GDPR) is the European Union's data protection law. It has applied since 25 May 2018 and introduced substantial fines for organisations that violate European privacy and security standards. Although the GDPR was drafted and passed by the European Union, businesses outside the EU can also be affected: the regulation imposes obligations on organisations anywhere in the world that process the personal data of individuals located in the EU, for example when offering them goods or services or monitoring their behaviour.
What Is the Purpose of GDPR?
The primary aim of the GDPR is to give individuals control over their personal data and to harmonise data protection rules across the EU, which simplifies the regulatory environment for international business.
Personal data is any information relating to an identified or identifiable natural person. This includes anything that could identify a person, directly or in combination with other data: names, location data, biometric data, images, and online identifiers such as IP addresses and cookie IDs. The information does not need to be "private". Even information that is public knowledge, or that concerns someone's professional life, can be personal data.
The GDPR also defines special categories of personal data that receive even greater protection. These cover information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data (where used to identify a person), health data, and data concerning a person's sex life or sexual orientation.
Do I Need GDPR Compliance?
Most companies now collect personal information to some extent. The GDPR protects direct identifiers such as a name, email address or IP address (what US-style privacy laws call personally identifiable information), but its concept of personal data is broader: it covers any information about an identifiable individual that you collect or process.
Personal data therefore includes website traffic logs, login and cookie data, user accounts, public profiles, and anything submitted through event registration and contact forms. Details about employees that are captured and processed in electronic form also count as personal data.
Examples of companies that need privacy compliance procedures are:
- SaaS providers that either collect information from their users directly or receive sets of collected data from their clients;
- e-commerce companies whose websites have forms that collect registration information, product orders, or contact details;
- companies that use analytics or cookies on their websites;
- employers that collect data about their employees' personal details, work performance, and legal matters (e.g., sick leave records).
If your company collects or processes any of these types of information, you will need to comply with data protection regulations.
Does the UK Have Specific GDPR Requirements?
The GDPR applies directly in every EU member state, but it leaves member states room to supplement it in certain areas (for example, the age of consent for online services and processing for employment or research purposes). The UK did this through the Data Protection Act 2018, which supplements the GDPR and replaced the Data Protection Act 1998.
Since the end of the Brexit transition period on 31 December 2020, the EU GDPR no longer applies directly in the UK. Instead, the UK applies a retained domestic version of the regulation, the "UK GDPR", alongside the Data Protection Act 2018, both of which remain legally binding. Note that a UK business that offers goods or services to individuals in the EU, or monitors their behaviour, is still subject to the EU GDPR as well.
Understand and Act on GDPR Regulations
Every company will need to respond to these regulations differently; however, most companies will be obliged to take some steps to become GDPR compliant. If you want to know more about the essential steps your business must take towards GDPR compliance, explore these resources:
Explore GDPR packages for startups
Vlad is Head of DPO Product @Legal Nodes and a certified (CIPP/E, CIPM, FIP) privacy specialist. He's currently doing a PhD study on the topic of AI and personal data protection.